Pension Benefit Guaranty Corporation
Office of Inspector General
Audit Report

Report on Internal Controls Related to the Pension Benefit Guaranty Corporation’s Fiscal Year 2012 and 2011 Financial Statements Audit

November 15, 2012
AUD-2013-2/FA-12-88-2

Contents

Audit Report AUD-2013-2 / FA-12-88-2

Section I:     Independent Auditor’s Report
Section II:    Management Comments

Acronyms

ACL            Access Control List
A&A            Assessment and Authorization
ASD            Actuarial Services Division
ASCGSS         Agency Security Controls General Support System
BAPD           Benefits Administration and Payment Department
CMS            Case Management System
COTS           Commercial-Off-The-Shelf
CCRM           Configuration, Change, and Release Management
CI             Configuration Item
CFS            Consolidated Financial System
COOP           Continuity of Operations Program
CCRD           Contracts and Control Review Department
CAP            Corrective Action Plan
DoPT           Date of Plan Termination
EDM            Enterprise Data Model
ELAN           Enterprise Local Area Network
ETA            Enterprise Target Architecture
FIPS PUB       Federal Information Processing Standards Publication
FMFIA          Federal Managers’ Financial Integrity Act of 1982
FY             Fiscal Year
IPS            Image Processing System
IAH            Information Assurance Handbook
IPVFB          Integrated Present Value of Future Benefits
ISA            Interagency Service Agreement
ISO            Information System Owner
IT             Information Technology
MOU            Memorandum of Understanding
NIST SP        National Institute of Standards and Technology Special Publication
OIG            Office of Inspector General
OIT            Office of Information Technology
OMB            Office of Management and Budget
OPM            Office of Personnel Management
PRISM          Participant Records Information Systems Management
PLUS           Pension and Lump Sum System
PBGC           Pension Benefit Guaranty Corporation
PII            Personally Identifiable Information
POA&M          Plan of Action and Milestones
PAM            Portfolio Accounting and Management
PAS            Premium Accounting System
PPS            Premium and Practitioner System
PVFB           Present Value of Future Benefits
RTM            Requirements Traceability Matrix
TAS            Trust Accounting System
TIS            Trust Interface System
TPD            Trusteeship Processing Division

Section I
Independent Auditor’s Report
CliftonLarsonAllen LLP
11710 Beltsville Drive, Suite 300
Calverton, MD 20705
301-931-2050 | fax 301-931-1710
www.cliftonlarsonallen.com

Pension Benefit Guaranty Corporation

To the Board of Directors, Management, and Inspector General of the Pension Benefit Guaranty Corporation
Washington, DC

We have audited the financial statements of the Pension Benefit Guaranty Corporation (PBGC or the Corporation) as of and for the year ended September 30, 2012, and have examined management’s assertion, included in PBGC’s Annual Report, about the effectiveness of internal control over financial reporting (including safeguarding assets) and PBGC’s compliance with certain provisions of laws, regulations, and other matters, and have issued our combined report thereon dated November 14, 2012 (see Office of Inspector General (OIG) report AUD-2013-1/FA-12-88-1).

We conducted our audit and examination in accordance with auditing standards generally accepted in the United States of America; Government Auditing Standards, issued by the Comptroller General of the United States; attestation standards established by the American Institute of Certified Public Accountants; and Office of Management and Budget (OMB) audit guidance.

The purpose of this report is to provide a more detailed discussion of the specifics underlying the material weaknesses reported in the internal control section of our combined report on PBGC’s fiscal year (FY) 2012 financial statements. As reported in our combined report on PBGC’s FY 2012 financial statements, we identified certain deficiencies in internal control that we consider material weaknesses, and other deficiencies that we consider to be a significant deficiency.

Summary

PBGC protects the pensions of approximately 43 million workers and retirees in more than 25,000 private defined benefit pension plans. Under Title IV of the Employee Retirement Income Security Act of 1974, PBGC insures, subject to statutory limits, the pension benefits of participants in covered private defined benefit pension plans in the United States. To accomplish its mission and prepare its financial statements, PBGC relies extensively on the effective operation of the Benefits Administration and Payment Department (BAPD) and its information technology (IT). Internal controls over these operations are essential to ensure the confidentiality, integrity, and availability of critical data while reducing the risk of errors, fraud, and other illegal acts.

BAPD manages the termination process for defined benefit plans, provides participant services (including calculation and payment of benefits) for PBGC-trusteed plans, provides actuarial support for PBGC, and carries out PBGC’s responsibilities under settlement agreements. BAPD has several distinct divisions, including the Trusteeship Processing Divisions (TPDs) and the Actuarial Services Division (ASD). The TPDs are responsible for capturing the participant data used for benefit determinations, managing benefit payments to participants and beneficiaries, and maintaining the pension plan and participant files that include the underlying documentation used to support the calculation of benefit amounts for participants and the pension liabilities recorded on PBGC’s financial statements. The ASD is responsible for calculating the Present Value of Future Benefits (PVFB) liability based on actuarial assumptions and methods. ASD uses the underlying documentation maintained by the TPDs, as well as mortality tables and interest rate factors, as key inputs to calculate the pension plan liabilities recorded on PBGC’s financial statements.

BAPD continues to have serious control weaknesses throughout the department. These weaknesses are attributable to BAPD’s management and oversight of the processes needed to calculate and value participants’ benefits and the related liabilities, and to value plan assets. Such weaknesses pose significant risks to PBGC’s operations, including the accurate calculation of plan participants’ benefits, accurate financial reporting, and compliance with prescribed laws and regulations. In FY 2012 and 2011, PBGC hired a contractor to review its programs and activities for improper payments in accordance with the Improper Payments Elimination and Recovery Act. In addition to identifying that actual improper payments had occurred, the contractor found that the underlying documentation used to support benefit payments was not always available. The same documentation is used to support the actuarial calculations of PBGC’s pension plan liabilities and related expenses. During FY 2012, we continued to identify numerous deficiencies in BAPD controls, including inadequate documentation to support the calculation of participants’ benefits and liabilities, errors in liability calculations, and errors in valuing plan assets.

The establishment and implementation of appropriate internal controls are critical to PBGC’s operations. As stated in OMB Circular A-123, Management’s Responsibility for Internal Control, reliable internal controls ensure that programs achieve their intended results; resources are used consistent with the agency’s mission; programs and resources are protected from waste, fraud, and mismanagement; laws and regulations are followed; and reliable and timely information is obtained, maintained, reported, and used for decision making. To mitigate operational and financial reporting risks to PBGC as a whole, continuous, active involvement of BAPD’s senior leadership in monitoring and responding to such risks is warranted.

In response to the weaknesses identified above, BAPD continues to undergo a strategic review intended to address its organizational structure and operational issues. In FY 2012, BAPD hired a new Director and continued efforts to develop a plan to address the deficiencies noted in prior OIG financial statement and performance audit reports. PBGC intends the plan to focus on fundamental issues such as internal controls, processes, contractor oversight, training, and staff competencies.

IT continues to be a challenge for management. Safeguarding PBGC’s systems and data is essential to protecting PBGC’s operations and mission. The OIG and others have consistently identified serious internal control vulnerabilities and systemic security control weaknesses in the IT environment over the last several years. PBGC’s delayed progress in mitigating these deficiencies at the root-cause level continued to pose increasing and substantial risks to PBGC’s ability to carry out its mission during FY 2012. Because of the persistent nature of these vulnerabilities and the extended time required to mitigate them, additional risks threaten PBGC’s ability to safeguard its systems. These risks include technological obsolescence, inability to execute corrective actions, breakdowns in communication, and poor monitoring.

PBGC has made some progress in addressing IT security weaknesses at the root-cause level by continuing to implement its FY 2010 Enterprise Corrective Action Plan (CAP) and by introducing additional reporting controls to track progress. These tracking controls include the Enterprise Plan of Action and Milestones (POA&M) and the Progress Status Reports on corrective actions. However, the current PBGC corrective action process was disjointed, with stove-piped responsibilities that did not give key decision makers a holistic view of the progress made and the resources needed to complete critical tasks. PBGC is in the process of making its corrective action process more cohesive, so that the CAP informs the POA&M, which in turn provides the Contracts and Control Review Department (CCRD) with the official status of corrective actions for inclusion in the Listing of Open OIG Recommendations.

The Corporation has also made progress in addressing the design of its infrastructure, account management, enterprise security management, and configuration management, but these control processes have not reached a level of maturity that would demonstrate their effectiveness. PBGC is implementing a disciplined and integrated approach to its Configuration, Change, and Release Management (CCRM) processes and procedures, consistent with NIST SP 800-53, Rev. 3. The Corporation has also developed and is implementing additional policies and procedures, and additional technical and configuration management tools are being deployed. However, much remains to be done, and the pace of progress remains slow.

PBGC anticipated completing the assessment and authorization (A&A) process, formerly referred to as certification and accreditation, for the Corporation’s major applications in FY 2012, but was unable to do so. The A&A work performed through FY 2012 identified significant, fundamental security control weaknesses in PBGC’s general support systems, many of which were reported in prior years’ audits and remain unresolved. We continued to find deficiencies in the areas of security management, access controls, configuration management, and segregation of duties. Control deficiencies were also found in policy administration and in the completion of A&As for all major applications.

PBGC developed an information security policy framework, including the Information Security Policy, which is supported by standards, processes, procedures, and a guide published in June 2012, the Office of Information Technology (OIT) Security Authorization Guide. The Guide provides steps and templates for preparing and completing the security authorization and assessment process, which follows National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. The Guide also provides a checklist to support OIT’s review of submitted artifacts as evidence of implemented controls, and PBGC is documenting the review process with that checklist. The new information security policy framework has not reached a level of maturity at which its effectiveness can be determined. PBGC is still in the process of establishing an enterprise-wide continuous monitoring program and deploying additional network management, monitoring, and configuration tools in its environment.

The serious weaknesses in BAPD’s internal controls, such as inadequate documentation to support benefit and liability calculations and errors in calculating liabilities and valuing plan assets, together with the limited progress in mitigating PBGC’s systemic security control weaknesses, create an environment that could lead to improper benefit determinations for plan participants, inaccurate financial reporting, and fraud, waste, and abuse.

Based on our findings, we are reporting that the deficiencies in the following areas constitute three material weaknesses for FY 2012:

    1. Benefits Administration and Payment Department Management and Oversight
    2. Entity-wide Security Program Planning and Management
    3. Access Controls and Configuration Management

We are also reporting the deficiencies in the following area to be a significant deficiency for FY 2012:

    4. Integrated Financial Management Systems

Detailed findings and recommendations follow.

1. Benefits Administration and Payment Department Management and Oversight

BAPD is the core department within PBGC that maintains plan and participant information and calculates plan benefits and related liabilities.
BAPD’s management and oversight function is a key component of the control environment in which its division managers and staff operate. Continuing deficiencies in this function increase PBGC’s operational and financial reporting risks.

Calculation of the Present Value of Future Benefits Liability

During FY 2012, BAPD made errors in calculating the PVFB liability for some participants. ASD is primarily responsible for calculating the PVFB recorded on PBGC’s financial statements, based on actuarial assumptions and methods. The calculation errors had two primary causes: (1) the actuarial liability factors were applied to incorrect or incomplete data inputs, and (2) a plan’s particular benefit provisions were not sufficiently reviewed to correctly calculate individual participants’ PVFB liability. Specifically, BAPD’s ASD used actuarial assumptions where the best available data had not been entered into the applicable information system. For example, in some instances an actual date of birth was used to calculate a specific benefit, but an estimated date of birth had been entered in the applicable information system, causing the liability to be incorrect. In other instances, ASD incorrectly calculated certain participants’ liabilities using a single life annuity provision instead of the joint and survivor benefit. During our June 30 interim testing, we identified an error in the calculation of the participant liability for one large plan related to one of the plan’s unique provisions. Management was not aware of this unique plan benefit or that it had been inappropriately excluded from the participants’ liability calculations. This error required additional effort by BAPD management to determine the underlying cause and to calculate an overall plan adjustment to PBGC’s liability at September 30. Because of the errors noted during the interim period, we adjusted our year-end audit procedures to address the increased operational and financial reporting risks. Using a statistically based sampling technique, we noted that in approximately 13% of the samples tested the liability calculated for a plan participant was either overstated or understated. The error projected to the entire PVFB liability of approximately $106 billion at September 30, 2012, had an estimated range of approximately $507 million understatement to $875 million overstatement and a point estimate of $185 million overstatement.

We also noted deficiencies in BAPD’s maintenance of the underlying documentation used to support the calculation of the PVFB. BAPD’s TPDs are primarily responsible for maintaining the plan and participant files used to determine the benefit and liability amounts owed to plan participants. The information system that maintains participant documentation such as birth certificates, marriage certificates, participant benefit applications, plan provisions, and salary data is the Image Processing System (IPS). During our testing at June 30 and September 30, BAPD was not able to provide the documentation needed to support the liability calculations for some samples. We also noted that the documentation was not maintained in a single, systematic manner, and that locating and providing it required herculean efforts by BAPD and other PBGC departments. The lack of appropriate documentation limits physical and financial controls and could lead to improper benefit payments and participant liability calculations by PBGC. Consequently, we could not determine whether the benefits or the associated liability were calculated properly for those samples at June 30 and September 30.

Last year we reported several deficiencies in BAPD related to documentation, including the need to require archival of source documents, to implement controls ensuring monitoring and enforcement of procedures requiring document maintenance, and to improve the training of persons tasked with calculating and reviewing benefit determinations. These deficiencies have not yet been corrected.

Because of the errors in liability calculations and the lack of supporting documentation, PBGC is at risk of inaccurately valuing the plan liabilities reported in its financial statements. These deficiencies could also impair PBGC management’s ability to provide meaningful and accurate information to key stakeholders such as plan participants, the Board, Congress, and OMB.

    Recommendations:

    o   PBGC should promptly correct the errors in its calculations identified by the auditors. (OIG Control Number # FS-12-01)

    o   PBGC should develop and implement a comprehensive documentation retrieval system that clearly identifies the location of participants’ census data and benefit calculation elements in a systematic manner. (OIG Control Number # FS-12-02)

    o   PBGC should update the technical reference guide used by ASD to document the procedures used to calculate the qualified pre-retirement survivor annuity and deferred retirement ages. (OIG Control Number # FS-12-03)

    o   Update current procedures to ensure that all plan provisions are considered in the calculation of the individual participant liability. The procedures should be documented in a formal procedural manual and/or checklist. (OIG Control Number # FS-12-04)

    o   PBGC should refine its current procedures for processing plans and uploading participant data into the Genesis database to ensure that the best available data is used to support benefit payments and Integrated Present Value of Future Benefits liabilities. (OIG Control Number # FS-12-05)

    o   Modify the BAPD Operations Manual to explicitly incorporate policies and procedures to archive source records. The BAPD Operations Manual details the process of creating the participant database but does not explicitly require the archival of source records. (OIG Control Number # FS-11-10) (PBGC scheduled completion date: June 30, 2014)

    o   Ensure that adequate documentation is maintained which supports, substantiates, and validates benefit payment calculations, by implementing proper monitoring and enforcement measures in compliance with approved policies and procedures. (OIG Control # FS-11-11) (PBGC scheduled completion date: June 30, 2012)

    o   Improve the training of persons tasked with the calculation and review of benefit determinations to ensure their skills are matched with the complexity of the tasks assigned. (OIG Control # FS-11-12) (PBGC scheduled completion date: December 31, 2012)

Valuation of Plan Assets and Benefits

Although BAPD has undertaken efforts to revalue assets for certain pension plans trusteed by PBGC, internal control weaknesses in this area continue to merit focus. The fair market value of a pension plan’s assets at the date of plan termination (DoPT) is an essential factor in determining the retirement benefit amounts owed to plan participants. BAPD’s lack of effective oversight and monitoring of contracted reviews of asset valuations continued to pose significant risks to participants’ benefit determinations. During FY 2012, BAPD hired contractors to revalue plan assets for some large plans, which resulted in increased benefits owed to certain plan participants. BAPD management stated that a risk analysis is under way to determine which additional pension plans may have asset valuation misstatements and pose the greatest risk to participants’ benefit payments. This risk analysis was not complete at September 30, 2012. In addition, at September 30, 2012, management had yet to finalize a quality control review process to verify and validate the satisfactory completion of contracted DoPT plan asset valuation audits, or to establish a detailed process to ensure consistent application of a methodology for determining the fair market value of plan assets at DoPT.

Additional weaknesses identified in the prior year financial statement audit stemmed from inadequate management of contractors, a condition that continues to exist. As previously discussed, these contractors perform critical functions such as valuing plan assets. Services provided by contractors should be subject to an effective system of internal controls. Management has not always fully considered the exposure and risk that contractors introduce into its environment. BAPD intended to develop corrective action plans in FY 2012 focusing on fundamental issues such as internal controls, processes, contractor oversight, and training and staff competencies. However, the development of these plans was still in progress at September 30, 2012.

    Recommendations:

    o   Continue to implement procedures to verify that future contracts for plan asset valuations clearly outline expectations and deliverables in the statement of work. (OIG Control Number # FS-11-06) (PBGC scheduled completion date: April 30, 2013)

    o   Continue to develop a quality assurance program aimed at ensuring that plan asset valuations meet the regulatory standard of determining fair market value based on the method that most accurately reflects fair market value. (OIG Control Number # FS-11-07) (PBGC scheduled completion date: April 30, 2013)

    o   Continue to enhance and formalize efforts to improve staff skills, whether Federal or contractor, in planning the valuation reviews, understanding the risks, and developing appropriate scopes and procedures to support credible and reliable results. (OIG Control Number # FS-11-08) (PBGC scheduled completion date: April 30, 2013)

    o   Identify those plans that might potentially have a pervasive misstatement to the financial statements if DoPT asset values were originally misstated.
Management should then re-\n            evaluate the DoPT asset values for those identified plans and consider the impact of any\n            known differences on the financial statements. (OIG Control Number # FS-11-09) (PBC\n            scheduled completed date: December 30, 2012)\n\n2. Entity-wide Security Program Planning and Management\n\n    In prior years, we reported that PBGC\xe2\x80\x99s entity-wide security program lacked focus and a\n    coordinated effort to adequately resolve control deficiencies. Deficiencies persisted in FY 2012,\n    which prevented PBGC from implementing effective security controls to protect its information\n    from unauthorized access, modification, and disclosure. Without a well-designed and fully\n    implemented information security management program, there is increased risk that security\n    controls are inadequate; responsibilities are unclear, misunderstood, and improperly\n    implemented; and controls are inconsistently applied. Such conditions may lead to insufficient\n    protection of sensitive or critical resources and disproportionately high expenditures for controls\n    over low-risk resources.\n\n    An entity-wide information security management program is the foundation of a security control\n    structure and a reflection of senior management\xe2\x80\x99s commitment to addressing security risks. The\n    security management program should establish a framework and a continuous cycle of activity\n    for assessing risk, developing and implementing effective security procedures, and monitoring\n    the effectiveness of these procedures.\n\n    In the Federal Information Security Management Act of 2002, Congress required each federal\n    agency to establish an agency-wide information security program to provide security to the\n    information and information systems that support the operations and assets of the agency,\n    including those managed by a contractor or other agency. OMB Circular No. 
A-130, Appendix\n    III, Security of Federal Automated Information Resources, requires agencies to implement and\n    maintain a program to assure that adequate security is provided for all agency information\n    collected processed, transmitted, stored, or disseminated in general support systems and major\n    applications.\n\n    The specific weaknesses we found that contributed to the material weakness and our\n    recommendations to correct them are as follows:\n\n    \xef\x82\xb7   PBGC had not completed A&As for any major applications. However, PBGC continued to\n        improve the PBGC Enterprise Information Security Program which includes strengthening\n        the system authorization process, verifying contractor A&A deliverables, and ensuring their\n        quality and conformance to the statement of work as well as to the objectives of the PBGC\n        risk management process and NIST SP 800-53. PBGC has focused on updating the\n        underlying policies, strengthening the security program overall, obtaining quality contractors\n        to conduct the assessments, and ensuring PBGC prepare for and begin the execution of the\n        system authorization process.\n\n    \xef\x82\xb7   NIST SP 800-53, Recommended Security Controls for Federal Information Systems,\n        identifies 172 controls within 17 security control families. PBGC identified 130 of these\n        controls as their common security controls. 
While PBGC has stated they anticipate\n        completion of their corrective actions in early 2015, as of the end of FY 2012, they have not\n\n\n\n                                                  7   \xc2\xa0\n\xc2\xa0\n\x0c\xc2\xa0\n\n\n        documented the details of the specific actions needed to complete and confirm the design,\n        implementation, and operating effectiveness of these identified common security controls.\n\n    \xef\x82\xb7   Weaknesses in PBGC\xe2\x80\x99s infrastructure design and deployment strategy for systems and\n        applications adversely affected its ability to effectively implement common security controls\n        across its systems and applications. Without full development and implementation, security\n        controls are inadequate; responsibilities are unclear, misunderstood, and improperly\n        implemented; and controls are inconsistently applied. Such conditions lead to insufficient\n        protection of sensitive or critical resources or disproportionately high expenditures for\n        controls. PBGC realizes these challenges, and has identified and documented the\n        enterprise common security controls in the Agency Security Controls General Support\n        System (ASCGSS) System Security Plan. PBGC completed and approved the Infrastructure\n        Configuration Management Plan in FY 2012. The Corporation also approved its CCRM\n        process and procedures in FY 2012. 
The future implementation of these strategies is intended to give PBGC a disciplined and integrated approach to CCRM, eliminate inconsistencies and weaknesses in how the processes and procedures are carried out, and ensure compliance with the NIST SP 800-53, Rev 3 common controls. However, because PBGC had not completed and confirmed the implementation and operating effectiveness of its common security controls, management cannot have confidence that the controls were implemented.

        Recommendations:

        o   Effectively communicate to key decision makers the state of PBGC’s IT infrastructure and environment to facilitate the prioritization of resources to address fundamental weaknesses. (OIG Control # FS-09-01) (PBGC scheduled completion date: June 30, 2013)

        o   Document and execute the details of the specific actions needed to complete and confirm the design, implementation, and operating effectiveness of all 130 identified common security controls. (OIG Control # FS-08-01) (PBGC scheduled completion date: February 28, 2015)

        o   Develop a process to review and validate reported progress on the implementation of the common security controls. Implement a strategy to test and document the effectiveness of each new control implemented. (OIG Control # FS-09-02) (PBGC scheduled completion date: September 30, 2012)

        o   Develop and implement a well-designed security management program that will provide security for the information and information systems that support the operations and assets of the Corporation, including those managed by contractors or other federal agencies. (OIG Control # FS-09-03) (PBGC scheduled completion date: September 30, 2012)

        o   Complete the development and implementation of the redesign of PBGC’s IT infrastructure, and the procurement and implementation of technologies to support a more coherent approach to providing information services and information system management controls. (OIG Control # FS-09-04) (PBGC scheduled completion date: February 28, 2015)

        o   Implement an effective review process to validate the completion of the A&A packages for all major applications. The review should not be performed by an individual associated with the performance of the A&A, or by someone who could influence the results. This review should cover all components of the work performed, to ensure that substantial documentation is available that supports and validates the results obtained. (OIG Control # FS-08-02) (PBGC scheduled completion date: June 30, 2013)

        o   Ensure that adequate documentation is maintained that supports, substantiates, and validates all results and conclusions reached in the A&A process for all major applications. (OIG Control # FS-09-05) (PBGC scheduled completion date: September 30, 2012)

        o   Establish and implement comprehensive procedures and document the roles and responsibilities that ensure oversight and accountability in the A&A review process for major applications. Retain evidence of oversight reviews and take action to address erroneous or unsupported reports of progress. 
(OIG Control # FS-09-06) (PBGC scheduled completion date: September 30, 2012)

        o   Maintain an accurate and authoritative inventory of major applications and general support systems. Ensure the list is disseminated to responsible staff and used consistently throughout PBGC OIT operations. (OIG Control # FS-09-07) (PBGC scheduled completion date: September 30, 2012)

        o   Implement an independent and effective review process to validate the completion of the A&A packages for all major applications. (OIG Control # FS-08-03) (PBGC scheduled completion date: June 30, 2013)

        o   Implement a documented, independent, and effective review process to validate the completion of the A&A packages for general support systems hosted on behalf of PBGC by third-party processors. The review should include examining the host and general controls risk assessments. (OIG Control # FS-08-03) (PBGC scheduled completion date: September 30, 2012)

    •   Information security policies and procedures were not fully disseminated and implemented. PBGC is not able to effectively enforce compliance with all required security awareness training. PBGC published SE-PRC-01-01, Security Awareness and Training Procedures, in June 2012. It defines both annual security awareness requirements and role-based requirements. Security incident response training is still in development and will be delivered during FY 2013 to all staff involved in security incident management and response. PBGC is in its second year of providing an online information security awareness module supplied by an OMB-approved Information System Security Line of Business provider (OPM’s Go Learn Learning Management System platform). This enables more efficient tracking of the staff and contractors who have taken the module. PBGC fulfilled last year’s requirement for general security awareness training using this service. Role-based security training is still in the development stage. Lack of security awareness can lead to an increased risk of security breaches and exposure to fraud, and controls may not be placed in operation as mandated by PBGC policies.

        Recommendation:

        o   Continue to disseminate PBGC’s security policies and procedures, and awareness of them, through adequate training. (OIG Control # FS-07-04) (PBGC scheduled completion date: September 30, 2012)

    •   PBGC has not executed ISAs or MOUs with all external organizations whose systems interconnect with PBGC’s systems. Controls to require such agreements do not exist. PBGC is in the process of planning and documenting ISAs with all external organizations whose systems interconnect with its own. In the absence of an ISA and MOU, either party (PBGC or the external system owner) may be unfamiliar with the technical requirements of the interconnection and the details that may be required to provide overall security for the interconnected systems.

        Recommendation:

        o   Develop controls and implement an ISA or MOU with all external organizations whose systems connect to PBGC’s systems. (OIG Control # FS-10-03) (PBGC scheduled completion date: September 30, 2012)

3. Access Controls and Configuration Management

    Although access controls and configuration management controls are an integral part of an effective information security management program, access controls remain a systemic problem throughout PBGC. 
PBGC’s decentralized approach to system development, system deployment, and configuration management created an environment that lacks a cohesive structure in which to implement controls and best practices. Weaknesses in the IT environment contributed significantly to deficiencies in system configuration, segregation of duties, role-based access controls, and monitoring. PBGC recognizes these challenges and is implementing a disciplined and integrated approach through development of Configuration, Change, and Release Management (CCRM) Process & Procedures consistent with NIST SP 800-53, Rev 3. The Corporation has also developed and is implementing additional policies and procedures, including deploying technical and configuration management tools. Technical tools have been or are being deployed to better manage the configuration of common operating platforms. Once these tools are fully operational in the infrastructure, they will help ensure that controls related to the configuration of infrastructure components remain consistent and will provide alerting when components are changed. Other complementary processes, such as the Tiger Team’s focus on system scanning and vulnerability management, support PBGC’s capability to carefully document and validate system vulnerabilities and also provide evidence of the operating effectiveness of some technical common controls.

    Access controls should be in place to consistently limit and detect inappropriate access to computer resources (data, equipment, and facilities) and to monitor access to computer programs, data, equipment, and facilities. These controls protect against unauthorized modification, disclosure, loss, or impairment. Such controls include both logical and physical security controls to ensure that federal employees and contractors are given only the access privileges necessary to perform their business functions. Federal Information Processing Standards Publication (FIPS PUB) 200, Minimum Security Requirements for Federal Information and Information Systems, specifies minimum access controls for federal systems. FIPS PUB 200 requires PBGC’s information system owners to limit information system access to authorized users.

    Industry best practices, NIST SP 800-64, Security Considerations in the System Development Life Cycle, and other federal guidance recognize the importance of configuration management when developing and maintaining a system or network. Through configuration management, the composition of a system is formally defined and tracked to ensure that unauthorized changes are not introduced. Changes to an information system can have a significant impact on the security of the system. Documenting information system changes and assessing their potential impact on the security of the system, on an ongoing basis, is an essential aspect of maintaining the security posture. An effective entity-wide configuration management and control policy, and associated procedures, are essential to ensuring adequate consideration of the potential security impact of specific changes to an information system. 
Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the entity, and subsequently to controlling and maintaining an accurate inventory of any changes to the system.

    Inadequate access and configuration management controls do not provide PBGC with sufficient assurance that financial information and financial assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.

    The specific weaknesses we identified in prior years that contributed to the material weakness identified in FY 2012, and our recommendations to correct them, are as follows:

    •   PBGC’s configuration management controls are labor intensive and ineffective. Weaknesses in the design of PBGC’s infrastructure and deployment strategy for systems and applications created an environment where strong technical controls and best practices cannot be effectively implemented. Configuration management controls are therefore inconsistently implemented across PBGC’s general support systems. PBGC’s three IT environments (development, test, and production) do not share common server configurations; therefore, management cannot rely on results obtained in the development or test environments prior to deployment in production. Overall, the PBGC environment suffers from inadequate configuration, roles, privileges, logging, monitoring, file permissions, and operating system access.

    •   PBGC’s infrastructure does not adequately segregate the production, development, and test environments. The current environment does not provide adequate controls within which to implement an effective application development and change control program. Significant weaknesses in configuration management, noted in prior years and continuing throughout FY 2012, included the following:

        -   Sensitive program scripts and utilities, open directories, and unsafe service accounts were not restricted.
        -   Unnecessary network services and duplicate groups with privileged system access were not removed.
        -   Baseline security reports were not being created and reviewed.
        -   Ownership and permissions of critical files and directories were inappropriately configured.
        -   The root account could be logged into from multiple virtual consoles.
        -   Database replication from headquarters to the COOP installation lacks functionality and completeness, and failing back to headquarters after an actual system failure would require a significant amount of manual intervention by subject matter experts.
        -   Developers had access to sensitive information in production.
        -   The IT system life cycle methodology is not consistently implemented across all projects within PBGC. 
We reviewed the Product Quality Assurance audit summary of the HP Service Manager 7 software implementation and noted that various critical components were lacking, such as:
            o Weaknesses in the approval, configuration management, and change control processes.
            o Failure to obtain approval signatures on key documents and test artifacts.
            o An incomplete Requirements Traceability Matrix (RTM).
            o Failure to update the RTM, resulting in a lack of traceability between the requirements and the test cases.
            o Lack of evidence that key test activities were conducted in the test environment as planned.
        -   Back-out plans for reversing system changes in case of an unexpected situation are not consistently documented.

        PBGC recognized that the agency lacked a mechanism for controlling the flow of data between the development, test, and production environments. PBGC plans to implement firewalls with associated policies and business rules to control the information flows between environments. The Corporation developed a high-level conceptual design for segregating the environments; the solution was accepted, and a procurement was issued for the hardware and services that will segregate the environments.

        In the interim, PBGC implemented Access Control Lists (ACLs) that will act as static firewalls until the comprehensive solution is fully implemented. The ACLs are intended to control the flow of data between environments and to stop any new flows from starting unless there is an approved change request.

    •   PBGC has made improvements in developing baseline configuration management controls. PBGC began implementing its CCRM process, procedures, and diagrams in FY 2012, establishing guidance for how Configuration Items (CIs) are identified and baselines established, how CI changes are controlled (Change Management) and managed through environments (Release Management), and how CIs and baselines are verified and audited using status accounting. The Change Management processes, procedures, and diagrams provide the governance structure for which CI changes are authorized to be promoted through the various environments. The Corporation is in the process of deploying and/or procuring automated tools to facilitate the execution of configuration management activities, with a specific emphasis on applying controls to the authentication parameters of PBGC general support systems and allowing manual review of noted deviations from baseline settings. The tools will provide the capability to establish a baseline of the CIs that exist at PBGC and to monitor compliance with the configuration management controls in an automated manner.

    •   Controls are not in place to ensure adequate consideration of the potential security impacts of specific changes to an information system or its surrounding environment. PBGC is exposed to an increased risk of data modification or deletion. Unauthorized changes could occur undetected. 
Applications and critical business processes may not be restored in a timely manner in the event of a disaster.

        Recommendations:

        o   Develop and implement procedures and processes for the consistent implementation of common configuration management controls to minimize security weaknesses in general support systems. (OIG Control # FS-07-07) (PBGC scheduled completion date: October 31, 2013)

        o   Develop and implement a coherent strategy for correcting IT infrastructure deficiencies and a framework for implementing common security controls, and mitigate the systemic issues related to access control by strengthening system configurations and user account management for all of PBGC’s information systems. (OIG Control # FS-09-12) (PBGC scheduled completion date: October 31, 2013)

        o   Establish baseline configuration standards for all of PBGC’s systems. (OIG Control # FS-09-13) (PBGC scheduled completion date: October 31, 2013)

        o   Review configuration settings and document any discrepancies from the PBGC configuration baseline. Develop and implement corrective actions for systems that do not meet PBGC’s configuration standards. (OIG Control # FS-09-14) (PBGC scheduled completion date: October 31, 2013)

        o   Ensure that test, development, and production databases are appropriately segregated to protect sensitive information, and fully utilized to increase system performance. (OIG Control # FS-09-15) (PBGC scheduled completion date: October 31, 2013)

        o   Establish interim procedures to implement available compensating controls (such as establishing a test team to verify developer changes in production) until a comprehensive solution that adequately segregates the test, development, and production databases can be implemented. (OIG Control # FS-09-16) (PBGC scheduled completion date: October 31, 2013)

    •   PBGC’s policies and practices have not effectively restricted the addition of unnecessary and generic accounts to systems in production. Consequently, the number of unnecessary and generic accounts grew over the years. Furthermore, PBGC’s configuration management weaknesses have contributed significantly to its inability to implement controls that ensure the consistent removal and lockout of generic or dormant accounts. PBGC has made progress in its account recertification and dormant account processes. However, not all major systems, such as those in the Benefits Administration and Payment Department, have gone through the recertification process. Furthermore, the actual removal of dormant accounts from systems is still a manual process and remains a risk to the timeliness of effective removal. The lack of controls to remove or disable inactive and dormant accounts exposes PBGC’s systems to exploitation and compromise. PBGC has taken action to review generic accounts in the general support system, removing those that are unnecessary and approving those that are necessary; however, more work is needed to ensure that all unnecessary and generic accounts are removed. 
Failure to identify and remove unnecessary accounts from the system could place PBGC’s systems at an increased risk of unauthorized access, modification, or deletion of sensitive system and/or participant information.

        Recommendations:

        o   Continue to remove unnecessary user and generic accounts. (OIG Control # FS-07-08) (PBGC scheduled completion date: July 31, 2012)

        o   Assess the risk associated with the lack of segregation of duties, password management, and overall inadequate system configuration. Discuss the risk with system owners and implement compensating controls wherever possible. If compensating controls cannot be implemented, the system owner should sign off indicating risk acceptance. (OIG Control # FS-09-17) (PBGC scheduled completion date: February 15, 2013)

        o   For the remaining systems, apply controls to remove or disable inactive and dormant accounts after a specified period, in accordance with the IAH. (OIG Control # FS-07-12) (PBGC scheduled completion date: July 31, 2012)

    •   Some developers have access to the production environment, which exposes PBGC to the risk of unauthorized modification of the application, circumvention of critical controls, and unnecessary access to sensitive data. Weaknesses in the design of PBGC’s infrastructure and deployment strategy for legacy systems and applications created an environment where developers have unrestricted access to production. PBGC has identified the developers who have access to particular production assets and removed unnecessary developer access to production. Service Desk tickets, with the associated Risk Acceptance forms, were submitted to re-establish the developer access that remained necessary. The Corporation now has mechanisms within the automated Enterprise Local Area Network (eLAN) process and records to document development team members’ access. There is now a better understanding of the risks associated with developers’ access to production, so that access is evaluated before it is granted. Not all developer access to production has been eliminated; PBGC is in the process of implementing compensating controls to restrict developers’ access to production. However, PBGC has not fully resolved its infrastructure design issues. In the interim, PBGC implemented ACLs that will act as static firewalls until the comprehensive solution is fully implemented.

        Failure to appropriately restrict privileged access to the production environment could result in unauthorized access to, modification of, or deletion of sensitive system and/or participant information, and the release of harmful code into the production environment.

        Recommendation:

        o   Restrict developers’ access to the production environment to temporary emergency access only. (OIG Control # FS-07-10) (PBGC scheduled completion date: December 31, 2012)

    •   Controls are not consistently applied to ensure that authentication parameters for general support systems (e.g., Novell, Windows, Sun Solaris, Oracle) and applications comply with the Information Assurance Handbook (IAH). 
PBGC’s decentralized approach to system development and configuration management has made it particularly difficult to implement consistent technical controls across PBGC’s many systems, platforms, and applications.

        Failure to follow secure build standards and to reassign or remove unowned user files provides internal and external attackers with additional paths into PBGC’s systems and could result in an increased risk of unauthorized access, modification, or deletion of sensitive system and participant information.

        Recommendations:

        o   Consistently apply controls to ensure that authentication parameters for PBGC’s general support systems (e.g., Novell, Windows, Sun Solaris, Oracle) and applications comply with the IAH. (OIG Control # FS-07-11) (PBGC scheduled completion date: July 31, 2014)

        o   Implement a manual review process whereby OIT periodically reviews systems for compliance with baseline settings. (OIG Control # FS-09-19) (PBGC scheduled completion date: October 31, 2013)

    •   The OIT recertification process remains incomplete and does not include all user and system accounts. In addition, the Recertification of User Access Process, version 4.0, does not explicitly state that all accounts (e.g., user, system, and service) across all platforms and applications will be recertified annually. PBGC’s infrastructure design and configuration management weaknesses have contributed significantly to its inability to implement controls to recertify all user and system accounts. The recertification process is still undergoing changes to ensure that all major information systems are reviewed. PBGC implemented an automated eLAN workflow process at the end of FY 2011, which provided another way for PBGC’s customers to interact with the Service Desk and submit network and application services (eLAN) access requests. Effective May 1, 2012, PBGC required users to stop submitting paper eLAN forms and instead use the automated system, except where the automated system cannot accommodate a user’s unique access request because the services and functions involved are not available in PBGC’s current Service Catalog. In those cases, the Service Desk is prepared to assist the user in completing the paper eLAN form until the automated system can be modified. Current plans are to incorporate additional workflow modifications, eliminating the need for any paper forms, into the planned Service Manager version 7 to version 9 migration scheduled for FY 2013.

        Unauthorized users could gain access to PBGC’s data and personally identifiable information. Without periodic recertification of accounts (user, generic, service, and system), management does not have adequate assurance that only current, authorized users have access to PBGC resources.

        Recommendation:

        o   Complete the implementation of the recertification process for all user and system accounts. Continue to perform annual recertification and include all of PBGC’s accounts (e.g., user, generic, service, and system accounts) for general support systems and major applications. 
(OIG Control # FS-07-13) (PBGC scheduled completion date: July 31, 2013)

    •   Vulnerabilities found in key databases and applications include weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. These PBGC system vulnerabilities are caused by an ineffective deployment strategy in the development, test, and production environments. Ineffective system deployments have resulted in an environment that is in disarray. PBGC has deployed additional technical tools to address this weakness, but additional cycle time is required to determine their effectiveness.

        Security control weaknesses and vulnerabilities in key databases remain unresolved. These control weaknesses are scheduled to be corrected in 2013. They expose PBGC to an increased risk of data modification or deletion; unauthorized changes could occur and not be detected.

        Recommendations:

        o   Implement controls to remedy the vulnerabilities noted in key databases and applications, such as weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. (OIG Control # FS-07-14) (PBGC scheduled completion date: October 31, 2013)

        o   Implement controls to remedy weaknesses in the deployment of servers, applications, and databases in the development, test, and production environments. (OIG Control # FS-09-20) (PBGC scheduled completion date: October 1, 2014)

    •   Periodic logging and monitoring of security-related events for PBGC’s applications was inadequate for the CFS, Premium Accounting System (PAS), Trust Accounting System (TAS), Participant Records Information Systems Management (PRISM), and Integrated Present Value of Future Benefits (IPVFB) systems. PBGC’s IT infrastructure consists of multiple legacy systems and applications (e.g., PAS, TAS, IPVFB, PRISM) that do not have a coherent architecture for management and security.

        Controls are not in place to ensure adequate consideration of the potential security impacts of specific changes to an information system or its surrounding environment. PBGC is exposed to an increased risk of data modification or deletion. Unauthorized changes could occur undetected.

        Recommendation:

        o   Implement a logging and monitoring process for application security-related events and critical system modifications (e.g., in CFS, PAS, TAS, PRISM, and IPVFB). (OIG Control # FS-07-17) (PBGC scheduled completion date: April 30, 2013)

    •   The application virtualization/application delivery product used by PBGC’s benefit payments service provider to connect to its benefit payments system, PLUS, is not included in the system boundary when conducting the A&A for the PLUS application. There is no documented security plan, risk assessment, security controls testing, or continuous monitoring program for the application virtualization/application delivery product.

    •   Privileged TeamConnect group accounts use shared accounts to grant access to users. 
The\n        activity by these privileged users cannot be tracked and/or traced to an individual user.\n        Additionally, TeamConnect developers have access to both the development and\n        production system. Malicious changes could be made without detection.\n\n\n\n\n                                                 16   \xc2\xa0\n\xc2\xa0\n\x0c\xc2\xa0\n\n\n        Recommendations:\n\n        o   Include the application virtualization/application delivery product used by the benefit\n            payments service provider to access the PLUS application in the system boundary. (OIG\n            Control # FS-10-05) (PBGC scheduled completion date: TBD)\n\n        o   Establish unique accounts for each user in TeamConnect. (OIG Control # FS-11-02)\n            (PBGC scheduled completion date: TBD)\n\n        o   Restrict developer\xe2\x80\x99s access to production. (OIG Control # FS-11-03) (PBGC scheduled\n            completion date: September 30, 2012)\n\n        o   Implement a log review process that does not rely on the TeamConnect\xe2\x80\x99s developers\n            reviewing the logs. (OIG Control # FS-11-04) (PBGC scheduled completion date:\n            TBD)\n\n        o   Implement compensating controls for log and review of changes made by powerful\n            shared accounts. (OIG Control # FS-11-05) (PBGC scheduled completion date: TBD)\n\n4. Integrated Financial Management Systems\n\n    The risk of inaccurate, inconsistent, and redundant data is increased because PBGC lacks a\n    single integrated financial management system. 
    The current system cannot be readily accessed and used by financial and program managers without extensive manipulation, excessive manual processing, and inefficient balancing of reports to reconcile disbursements, collections, and general ledger data.

    OMB Circular A-127, Financial Management Systems, requires that federal financial management systems be designed to provide for effective and efficient interrelationships between software, hardware, personnel, procedures, controls, and data contained within the systems. The Circular states:

        A financial system, hereafter referred to as a core financial system, is an information system that may perform all financial functions including general ledger management, funds management, payment management, receivable management, and cost management. The core financial system is the system of record that maintains all transactions resulting from financial events. It may be integrated through a common database or interfaced electronically to meet defined data and processing requirements. The core financial system is specifically used for collecting, processing, maintaining, transmitting, and reporting data regarding financial events. Other uses include supporting financial planning, budgeting activities, and preparing financial statements. Any data transfers to the core financial system must be: traceable to the transaction source; posted to the core financial system in accordance with applicable guidance from the Federal Accounting Standards Advisory Board; and in the data format of the core financial system.

    OMB's Office of Federal Financial Management, Core Financial System Requirements, lists the following financial management system performance goals, outlined in the framework document, applicable to all financial management systems. All financial management systems must do the following:

    •   Demonstrate compliance with accounting standards and requirements.

    •   Provide timely, reliable, and complete financial management information for decision making at all levels of government.

    •   Meet downstream information and reporting requirements with transaction processing data linked to transaction engines.

    •   Accept standard information integration and electronic data to and from other internal, government-wide, or private-sector processing environments.

    •   Provide for "one-time" data entry and reuse of transaction data to support downstream integration, interfacing, or business and reporting requirements.

    •   Build security, internal controls, and accountability into processes and provide an audit trail.

    •   Be modular in design and built with reusability as an objective.

    •   Meet the needs for greater transparency and ready sharing of information.

    •   Scale to meet internal and external operational, reporting, and information requirements for both small and large entities.

    Because PBGC has not fully integrated its financial systems, PBGC's ability to accurately and efficiently accumulate and summarize information required for internal and external financial reporting is impaired. Many of the weaknesses included in this report were reported in prior years. The specific weaknesses we found that contributed to the material weakness, and our recommendations to correct them, are as follows:

    Lack of standard data classifications and common data elements:

    •   PBGC continues to work towards a logical database model (Enterprise Data Model (EDM)). Elements of the EDM include the general ledger, purchases, portfolio management, payroll, investment management, financial institutions, budgeting, accounts receivable, and accounts payable. Until the development and implementation of the EDM is complete, the current systems have no centralized data catalog defining data elements and no common data access method for current databases.

    •   The current decentralized database structure may lead to erroneous financial and participant data. For example, the same data elements must be reformatted or are used for different purposes across PBGC's various applications.

    •   The current decentralized database structure may lead to the use of outdated financial or participant data. Because participant data must be reformatted and distributed to multiple PBGC systems, users may be relying on outdated information to make business decisions.

    Duplication of transaction entry:

    •   Probable and multiemployer plan data initially entered into IPVFB must be manually re-entered into a spreadsheet and then manually entered into CFS as adjusting journal entries.

    •   Plan data initially entered into the Case Management System (CMS) application must be re-entered into the TAS application's portfolio header.

    •   Plan contingency listings are determined using data extracted from PAS. However, plans with multiple filings must be manually aggregated before the plans can be classified.

    •   Plan sponsor address data must be manually entered into CFS to process refunds.

    Obsolete and antiquated technologies:

    PBGC's information systems employ obsolete and antiquated technologies that pose additional risk to the availability of financially significant systems. These technologies are unsupported and add to the challenge of integrating PBGC's systems in an IT infrastructure that lacks a cohesive architecture and design.

    A federal agency's ability to effectively and efficiently maintain and modernize its existing IT environment depends primarily on how well it employs certain IT management controls that are embodied in statutory requirements, federal guidance, and best practices. Among other things, these controls include strategic planning and performance measurement, portfolio-based investment management, human capital management, enterprise architecture (and supporting segment architecture) development and use, and responsibility and accountability for modernization management.

    If managed effectively, IT investments can have a dramatic impact on an organization's performance and accountability. If not correctly managed, they can result in wasteful spending and lost opportunities for achieving mission goals and improving mission performance. PBGC has had several false starts in modernizing its systems and applications that have either been abandoned (such as the suspension of work on the Premium and Practitioner System to replace PAS) or have been ineffective in leading to the integration of its financially significant systems. Unless PBGC develops and implements a well-designed IT architecture and infrastructure to guide and constrain modernization projects, it risks investing time and resources in systems that do not reflect the Corporation's priorities, are not well integrated, are potentially duplicative, and do not optimally support mission operations and performance.

    To its credit, PBGC began to develop an overall strategy, but much work remains before the strategy can be completed and implemented. Steps PBGC has taken in FY 2012 include the following:

    •   Continued work on its Enterprise Target Architecture (ETA), which provides the road map for all PBGC system development and integration, including financial management system integration.

    •   Implemented interface enhancements for CFS, including the payroll interface modernization, procurement interface, travel interface, and invoice automation. These interfaces provide additional automated capabilities for CFS and reduce the amount of manual data input for certain transactions.

    However, major work remains to be completed to provide PBGC with integrated financial management capabilities. PBGC plans to implement the Trust Accounting and FY File System (TAS) in January 2013, after completing the TAS user acceptance testing. The design of TAS is based on an externally-hosted, commercial-off-the-shelf investment accounting package. TAS is another step closer to financial management systems integration, as it replaces Portfolio Accounting and Management (PAM), Trust Interface System (TIS), and FY File. TAS will replace the following existing financial applications: PAM, FY File, TIS, and TIS Transfer. Additionally, TAS will have automated interfaces with CMS, CFS, and IPVFB. Lastly, PBGC has identified future capabilities in its financial management to-be architecture, including a procurement system and an online budgeting system.

    PBGC's IT initiatives include further corrective actions through the implementation of TAS and the Premium and Practitioner System (PPS). Also during FY 2012, PBGC began the development of PPS. PPS will be fully integrated with the Oracle eBusiness Suite COTS solution used for PBGC's Consolidated Financial Systems, and will replace PAS in December 2013.

       Recommendation:

       o   PBGC needs to implement and execute a plan to integrate its financial management systems in accordance with OMB Circular A-127.
           (OIG Control # FS-07-18) (PBGC scheduled completion date: September 30, 2013)

                                   ***********************************

The status of the internal control report recommendations is presented in Exhibit I.

This report is intended for the information and use of the management and Inspector General of PBGC and is not intended to be and should not be used by anyone other than these specified parties.

Calverton, Maryland
November 14, 2012

               EXHIBIT I - Status of Internal Control Report Recommendations

Prior Year Internal Control Report Recommendations Closed For FY 2012:

Recommendation                Date Closed                  Original Report Number

FS-07-09                      11/13/2012                   2008-2/FA-0034-2
FS-07-15                      11/13/2012                   2008-2/FA-0034-2
FS-07-16                      11/13/2012                   2008-2/FA-0034-2
FS-09-08                      11/13/2012                   AUD-2010-2/FA-09-64-2
FS-09-10                      11/13/2012                   AUD-2010-2/FA-09-64-2
FS-09-18                      11/13/2012                   AUD-2010-2/FA-09-64-2
FS-10-01                      11/13/2012                   AUD-2011-3/FA-10-69-2
FS-10-02                      11/13/2012                   AUD-2011-3/FA-10-69-2
FS-10-04                      11/13/2012                   AUD-2011-3/FA-10-69-2
FS-11-01                      11/13/2012                   AUD-2012-2/FA-11-82-2
FS-11-13                      11/13/2012                   AUD-2012-2/FA-11-82-2
FS-11-14                      11/13/2012                   AUD-2012-2/FA-11-82-2
FS-11-15                      11/13/2012                   AUD-2012-2/FA-11-82-2
FS-11-17                      11/13/2012                   AUD-2012-2/FA-11-82-2

Prior Year Internal Control Report Recommendation Moved to Management Letter During FY 2012:

Recommendation                              Original Report Number

FS-11-16                                    AUD-2012-2/FA-11-82-2

Open Recommendations as of September 30, 2012:

Recommendation                              Report

Prior Years'
FS-07-04                                    2008-2/FA-0034-2
FS-07-07                                    2008-2/FA-0034-2
FS-07-08                                    2008-2/FA-0034-2
FS-07-10                                    2008-2/FA-0034-2
FS-07-11                                    2008-2/FA-0034-2
FS-07-12                                    2008-2/FA-0034-2
FS-07-13                                    2008-2/FA-0034-2
FS-07-14                                    2008-2/FA-0034-2
FS-07-17                                    2008-2/FA-0034-2
FS-07-18                                    2008-2/FA-0034-2
FS-08-01                                    AUD-2009-2/FA-08-49-2
FS-08-02                                    AUD-2009-2/FA-08-49-2
FS-08-03                                    AUD-2009-2/FA-08-49-2
FS-09-01                                    AUD-2010-2/FA-09-64-2
FS-09-02                                    AUD-2010-2/FA-09-64-2
FS-09-03                                    AUD-2010-2/FA-09-64-2
FS-09-04                                    AUD-2010-2/FA-09-64-2
FS-09-05                                    AUD-2010-2/FA-09-64-2
FS-09-06                                    AUD-2010-2/FA-09-64-2
FS-09-07                                    AUD-2010-2/FA-09-64-2
FS-09-09 (1)                                AUD-2010-2/FA-09-64-2
FS-09-11 (1)                                AUD-2010-2/FA-09-64-2
FS-09-12                                    AUD-2010-2/FA-09-64-2
FS-09-13                                    AUD-2010-2/FA-09-64-2
FS-09-14                                    AUD-2010-2/FA-09-64-2
FS-09-15                                    AUD-2010-2/FA-09-64-2
FS-09-16                                    AUD-2010-2/FA-09-64-2
FS-09-17                                    AUD-2010-2/FA-09-64-2
FS-09-19                                    AUD-2010-2/FA-09-64-2
FS-09-20                                    AUD-2010-2/FA-09-64-2
FS-10-03                                    AUD-2011-3/FA-10-69-2
FS-10-05                                    AUD-2011-3/FA-10-69-2
FS-11-02                                    AUD-2012-2/FA-11-82-2
FS-11-03                                    AUD-2012-2/FA-11-82-2
FS-11-04                                    AUD-2012-2/FA-11-82-2
FS-11-05                                    AUD-2012-2/FA-11-82-2
FS-11-06                                    AUD-2012-2/FA-11-82-2
FS-11-07                                    AUD-2012-2/FA-11-82-2
FS-11-08                                    AUD-2012-2/FA-11-82-2
FS-11-09                                    AUD-2012-2/FA-11-82-2
FS-11-10                                    AUD-2012-2/FA-11-82-2
FS-11-11                                    AUD-2012-2/FA-11-82-2
FS-11-12                                    AUD-2012-2/FA-11-82-2

FY Ended September 30, 2012
FS-12-01                                    AUD-2013-2/FA-12-88-2
FS-12-02                                    AUD-2013-2/FA-12-88-2
FS-12-03                                    AUD-2013-2/FA-12-88-2
FS-12-04                                    AUD-2013-2/FA-12-88-2
FS-12-05                                    AUD-2013-2/FA-12-88-2

(1) Recommendation remains open pending completion by management to acknowledge closure. This recommendation was not included in the FY 2012 financial report.

                 Section II

        Management Comments

If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General.

                       Telephone:
            The Inspector General's HOTLINE
                    1-800-303-9737

  The deaf or hard of hearing, dial FRS (800) 877-8339 and give the Hotline number to the relay operator.

                           Web:
       http://oig.pbgc.gov/investigation/details.html

                         Or Write:
          Pension Benefit Guaranty Corporation
               Office of Inspector General
                     PO Box 34177
             Washington, DC 20043-4177